This year I am delighted that we have launched our cybersecurity practice to help our clients address one of their most critical issues, that of assessing and sourcing cybersecurity talent.

Much has been written about the growing shortage of cybersecurity skills and here I share just what the scale of this shortage is and its impact on business.

The most recent report is from CapGemini.  Last month, their report, Cybersecurity Talent: The Big Gap in Cyber Protection, showed that corporate demand for cybersecurity skills is rising faster than internal supply.

They surveyed more than 1,200 senior executives and front-line employees and also included social media sentiment of more than 8,000 cybersecurity employees. 68% of organizations reported high demand for cybersecurity skills – compared to 61% demanding innovation skills and 64% needing analytics skills.

They then measured this against the availability of existing, proficient skills in the organization – and identified a 25% gap for cybersecurity skills. Their report said there was already 43% availability of proficient skills.

They predict that demand for cybersecurity talent will grow over the next 2-3 years; 72% of respondents predicted high demand for cybersecurity in 2020, compared to 68% today.

Capgemini chart

The industry magazine, Information Management, reported on two studies at the end of last year which they said gave “an alarming view of the state of data security” with organizations complaining of woeful lack of cybersecurity professionals.

The CyberSeek report from CompTIA, which tracks supply and demand in the cybersecurity space, says cybersecurity jobs must double in order to meet current demand. While the 2017 RedSeal Resilience Report says a majority of organizations lack the tools and resources they need to protect their data assets.

According to the RedSeal report, the data threat landscape is evolving much faster than security teams can respond. Nearly 80% of respondents said “they could not access insights that help to prioritize their response to a data security incident”, while 55% said they could not react quickly enough in the event of a major security incident.

Only 20% of organizations said they are extremely confident that they could run as usual after discovering a cyberattack or data breach.

It is concerning that most organizations (55%) say they don’t test their data security strategies enough because they are too resource intensive, take too much time or outside budget. It could be argued that this is because there is not enough budget commitment to this area – but the report suggests it is more down to lack of skilled people.


According to Cisco, in its 2017 Annual Cybersecurity Report, the main barriers to adopting advanced security products and solutions are budget (35% of respondents), product compatibility (28%), certification (25%) and talent (25%).

Cisco obstacles to security

cisco data 3

So what should organizations be doing?  My colleague, Raef Meeuwisse looked at this in his blog Is there really a cybersecurity skills shortage?

The CapGemini report offers the following to address the problem

  • Integrate security across the organization
  • Maximise existing skillsets – many employees are already investing to update their own skills, are they being used?
  • Think outside the box in recruitment, “for example, people on the autism spectrum are fantastic at pattern spotting and are often blessed with numerical and problem-solving skills, attention to detail and a methodical approach to work – all useful traits for cybersecurity best practice”

I would agree about thinking outside the box in recruitment and that is what we are focusing on in our practice.

However, what is interesting is that these reports cover the shortage in current cybersecurity skills, as we know them.

But I increasingly believe we need a new model of cybersecurity skills at leadership level – people who have strong technical skills but can also influence behaviours. Cybersecurity is not just about technology – it is about getting employees across the board to implement best behaviour.  Not pin their password on their computer screen, use their dog’s name for their password or fail to update as requested by IT. 

The new breed of professionals need to be great communicators and persuaders as well as having strong tech skills.

Could this open up new areas to find the cybersecurity skills we need – or will it make the skills shortage even worse?

Published in Cyber security

News release

14 February 2018

Two thirds of bank chief executives (71%) in the Middle East could be at risk of losing their jobs because they are not managing cybersecurity risks effectively.

Research shows that only 29% of Middle East banks with assets of more than $10bn have a chief information security officer (CISO) reporting directly to the chief executive – a key sign among cybersecurity professionals that an organisation is taking and managing these threats seriously. More than a third (35%) of CISOs have no direct reporting line to any C-level executives.

The research was carried out by Metin Mitchell & Co into the 49 qualifying banks in nine countries. No country was an outstanding performer; the two highest performers were Qatar (40%) and the Kingdom of Saudi Arabia at 38%.

Metin Mitchell, founder of the Dubai-based firm which specialises in executive search for Middle East financial services, said: “If cybersecurity experts are to have any impact in a bank they need more than technical skills – they also need a strong voice and business skills. They must be able to communicate effectively to the CEO and the board on the risks to both the business and shareholder values. They must also have the required budget and the ability to influence decision-making to mitigate those risks. 

“How many of today’s CISOs in the Middle East have the skills to do that? And more importantly, how many are empowered to do that and drive forward a multi disciplined approach to cybersecurity? How well a CEO prepares, and how well their team deals with a cyberattack, will all determine whether a CEO keeps their job when the bank is attacked.”

Raef Meeuwisse - ISACA governance expert, author and cybersecurity adviser to Metin Mitchell & Co – explained the importance of CISOs reporting to the chief executive: “There is a shortage of cybersecurity skills. In a market competing for resources, the best talent goes to the organizations that look most appealing to work for.

“Security staff are not like normal people. They are not interested in your sector, turnover or profit. They want to know if your organization has the security fundamentals in place. Are you likely to still be operating in a few years time? One of the easiest ways to check is simply to ask, is your CISO reporting to the main board – and in the case of financial services this would be to the chief executive.”

Metin Mitchell & Co has launched a specialist cybersecurity service to recruit senior cybersecurity talent and advise on how best to structure and manage this cybersecurity talent.

Published in Cyber security

Read more

To read more of Metin Mitchell’s insights on leadership, leave your email here:


Elsewhere online

Popular Posts

Recent Posts